BDD FOR AUTOMATING WEB APPLICATION TESTING. Stephen de Vries

Size: px
Start display at page:

Download "BDD FOR AUTOMATING WEB APPLICATION TESTING. Stephen de Vries"

Transcription

1 BDD FOR AUTOMATING WEB APPLICATION TESTING Stephen de Vries

2

3 INTRODUCTION Security Testing of web applications, both in the form of automated scanning and manual security assessment is poorly integrated into the software development lifecycle (SDL) when compared to other testing activities such as Unit or Integration tests. Agile methodologies such as Test Driven Development advocate a test first approach, where the tests themselves form the specification for the software. These effectively form an executable specification that grows with the application. If the same approach could be taken with security requirements and testing, then the security domain could also benefit from the advantages of automated integration testing. Existing testing frameworks and web integration testing tools can be used to create an integration testing framework aimed specifically at security. This would provide security testing templates which could be applied to common web application features, a framework for writing bespoke security tests, and provide integration with existing web scanning tools. This paper presents such a security testing framework together with the tools required to integrate it with the Burp Suite scanner. PROBLEMS WITH SECURITY SCANNING Security Testing is usually performed by external security consultants using broadly defined testing methodologies. The result of which is a report containing a list of security vulnerabilities - or in testing terms: test case failures. The test cases that were executed, and test case successes are not usually included in the report. There are a number of problems with this approach. Firstly, the software owner doesn t have a clear view on exactly which tests were performed. Secondly, the security tester can t guarantee that retesting the application will be performed consistently. And thirdly, since the security tests to perform are selected by the external security tester they can t be used as a security specification for the software before development even starts. The costs of performing manual retests for security assessments are also much higher than that of running automated integration tests because of the lack of the automation. AUTOMATED INTEGRATION TESTING For the purposes of this paper automated integration testing (and integration testing) refers to the practice of testing a web application at the web tier, such as by using Selenium or other browser driver type tools. Integration tests can be used to define the functional and non-functional requirements for a web application by defining passing and failing scenarios. The tests are often run using popular unit testing frameworks such as JUnit and TestNG. An example of a JUnit test which tests basic login functionality in a web application using Selenium 2 (WebDriver) could be:

4 Two tests are defined (annotated ) that describe how the login function should behave when correct and incorrect passwords are used. public void login(string username,string password) { driver.get(" driver.findelement(by.name("username")).sendkeys(username); driver.findelement(by.name("password")).sendkeys(password); public void testloginworksforcorrectcredentials() { login("bob","password"); public void testloginfailsforwrongpassword() { login("bob","messerschmidt"); assertfalse(driver.getpagesource().contains("welcome")); This approach can also be used to perform basic security tests such as: As more tests are added, they effectively become the functional specification for public void testloginbypasswithsqlinjection() { login("bob';--",""); assertfalse(driver.getpagesource().contains("welcome")); application: testthatloginworks() testthatloginwithwrongpasswordfails() testthatlogoutworks() testadditemtoshoppingcart() testcheckoutwithemptycart() testcheckoutwithfullcart() etc. These integration tests are usually written by the developers themselves, or by specialist testing houses. In cases, they require technical knowledge of a programming language in order to understand the test. This doesn t present a problem in small teams; but in larger teams where there are non-technical business analysts and/or security architects, who don t necessarily understand the programming language used, then the tests alone can t be used to define the application s specification.

5 BEHAVIOUR DRIVEN DEVELOPMENT (BDD) BDD is an evolutionary step from Test Driven Development and offers the ability to define the behaviour of an application in a more natural language. BDD is effectively a communication tool, allowing the business and security analysts to define functional and non-functional behaviour in a natural language, while still allowing that behaviour to be captured using automated tests written by developers. There are a number of BDD frameworks available for different languages, such as EasyB (Groovy), RSpec and Cucumber (Ruby), PyCukes (Python) and JBehave for Java. BDD WITH JBEHAVE JBehave uses a similar format to describing specifications (stories) as the popular Cucumber framework for Ruby, i.e. plain text using special keywords to describe the story and code that matches those statements to executable steps in Java. For example, Scenario: Test the login works with valid credentials Given the login page When the user logs in with username: bob and password: password Then the word: Welcome should be on the page Scenario: Test login fails with wrong password Given the login page When the user logs in with username: bob and password: blah Then the word: Invalid should be on the page Scenario: Test login can't be bypassed using SQL injection Given the login page When the user logs in with username: bob';-- and password: blah Then the word: Invalid should be on the page the login integration tests listed above could be translated into JBehave as follows: The words Given, When and Then are JBehave keywords, as well as And which can be used to add additional statements. A JBehave story (Specification) is compromised of individual scenarios (tests). Each step in the scenario is then mapped to Java code, e.g.:

6 @Given("the login page") public void gotologinpage() { user logs in with username: $username and password: $password") public void login(string username, String password) { driver.findelement(by.name("username")).sendkeys(username); driver.findelement(by.name("password")).sendkeys(password); word: $matchword should be on the page") public void String matchword){ assertthat(driver.getpagesource(),containsstring(matchword)); The code would be written by a developer, while the specification could be written by a business analyst, or security architect. DATA TABLES Looking at the three scenarios listed above, the steps of each scenario is identical - the only difference is the data supplied. This can be used to take advantage of another JBehave feature: tabular data input. Instead of writing three separate scenarios they can Scenario: Test login with valid and invalid data Given the login page When the user logs in with <username> and <password> Then the <matchword> should be on the page Examples: username password matchword bob password Welcome bob blah Invalid bob';-- blah Invalid be combined into one and a date table used to supply the data: THE PAGE OBJECT PATTERN THE NEED FOR ABSTRACTION Using Selenium WebDriver directly in the tests, as shown below, means that they are tied to the navigation code. A change to the web UI, such as changing the username text field name from username to uname would mean changing the tests- potentially in more than one place.

7 @When("the user logs in with username: $username and password: $password") public void login(string username, String password) { driver.findelement(by.name("username")).sendkeys(username); driver.findelement(by.name("password")).sendkeys(password); driver.findelement(by.name("update")).click(); This presents a problem for test maintenance as well as scalability of the test scripts. SIMPLE PAGE OBJECT The Page Object Pattern applies the concept of object oriented design to navigating web pages. Each page is represented by a class, and functions within that page user logs in with username: $username and password: $password") public void login(string username, String password) { loginpage.login(username, password); represented by methods in the class. This would allow the above code to be changed to: The details of how the login method is implemented is hidden from the test and can be re-used in other instances of the LoginPage class. A simple example of a Page Object public class LoginPageOrig { WebDriver driver; public LoginPageOrig(WebDriver driver) { this.driver = driver; public LoginPageOrig open() { driver.get(" return this; public void login(string username,string password) { driver.findelement(by.name("username")).sendkeys(username); driver.findelement(by.name("password")).sendkeys(password); driver.findelement(by.name("update")).click(); could be: This uses the familiar: driver.get() and driver.findelement() methods to first navigate to the page, and then set the value on certain elements.

8 ENHANCED PAGE OBJECT Selenium provides some convenience methods to implementing this pattern- and the BDD framework takes it further by creating a Page base class which leads to more public class IspatulaLoginPage extends Page { static final String url = " WebElement username; WebElement password; WebElement update; public IspatulaLoginPage(WebDriver driver) { super(url,driver); public void login(string usernameparam,string passwordparam) { username.sendkeys(usernameparam); password.sendkeys(passwordparam); update.click(); terse page objects: The WebElements are silently initialised in the parent class s open() method using WebDriver s PageFactory class. If they re not found, then an exception is thrown. By default the field names are matched to the element IDs- and if this fails, then they re matched to element names. If an alternate matching strategy is required, this can = How.LINK_TEXT, using = "click me") WebElement username; implemented using annotations: In addition to the benefit of abstraction, page objects can also be reused by different testing teams. The integration and functional testing team, who ensure that the application behaves as expected- and that it renders correctly in multiple browsers could define the page objects and these could then be re-used by the security or performance testing teams. When the UI or navigation flow is changed, it only has to be changed in the page object itself, without having to change the tests that use it. ONE MORE LEVEL OF ABSTRACTION In order to write security testing templates that can easily be applied to different web applications, it s convenient to apply another layer of abstraction and encapsulate specific features into predefined interfaces that are implemented by a single class. To this end, BDD-Security defines the following interfaces:

9 public interface ILogin { public Page interface login(credentials ILogout { credentials); Page openloginpage(); logout(); boolean isloggedin(string role); More generic features will be added in the future to cater to a wider variety of web applications, e.g. ITwoStepLogin for applications that require a secondary authentication step, after the primary. IWizardSession for applications that don t have a login, but still maintain a session which is initiated after the user enters some data. All web applications should derive from a base class, and then implement the public class IspatulaApplication extends WebApplication implements ILogin,ILogout {... appropriate methods, e.g.: GENERIC SECURITY TESTS BDD-SECURITY BDD-Security is a BDD based testing framework for web applications. It s built on JBehave and includes a number of predefined security specifications for web applications. It was designed in order to make use of re-usable page objects so that the tests should not require modification between different web applications.

10 ARCHITECTURE The security story templates make use of the user defined application class which must inherit from the parent WebApplication class. This class should then implement the predefined interfaces as is appropriate for its functionality. CONFIGURATION Each project should have a config.xml file defining various configuration settings for the tests:

11 <?xml version="1.0" encoding="iso "?> <web-app> <defaultdriver>htmlunit</defaultdriver> <burpdriver>burphtmlunit</burpdriver> <baseurl> <class>ispatulaapplication</class> </web-app> <sessionids> <name>jsessionid</name> </sessionids> <users> <user username="bob" password="password"> <role>user</role> </user> <user username="alice" password="password"> <role>user</role> </user> <user username="admin" password="password"> <role>user</role> <role>admin</role> </user> </users> <burphost> </burphost> <burpport>8080</burpport> <burpwsurl> <storyurl>src/main/stories/</storyurl> <reportsdir>reports</reportsdir> <latestreportsdir>target/jbehave/</latestreportsdir> The more important user configurable elements are detailed in the following table: Element defaultdriver burpdriver baseurl Class burphost Description The default WebDriver implementation to use. BDD-Security has subclassed popular drivers and added HTTP inspection features which are missing from the stock WebDriver implementations. Currently HtmlUnit and Firefox are the only supported options. The WebDriver used during automated testing through Burp. Currently only HtmlUnit and Firefox are supported using the values: BurpHtmlUnit and BurpFirefox The base URL for the application under test. The custom Java class that extends WebApplication. The host running resty-burp

12 Element burpport burpwsurl sessionids user Description Burp s proxy port The WS Url used to communicate to resty-burp The cookie names used to store the session IDs. The valid users of the application, currently only supports username and password authentication. role The roles that the user belongs to. In addition to the configuration file, the custom Java class defining the application should also be defined, for example:

13 public class IspatulaApplication extends WebApplication implements ILogin,ILogout { public IspatulaApplication(WebDriver driver) { super(driver); public LoginPage openloginpage() { return new LoginPage(driver).open(); public Page login(credentials credentials) { return openloginpage().login(credentials); // Convenience user/pass login method public Page login(string username,string password) { return login(new UserPassCredentials(username,password)); public Page logout() { return new LogoutPage(driver).open().logout(); public Page search(string query) { return new SearchPage(driver).open().search(query); // Check whether the given role is currently logged in. // In it's simplest form, it ignores the role. public boolean isloggedin(string role) { try { new AccountInfoPage(driver).open(); return true; catch (Exception e) { return false; Access Control Tests BDD-Security also provides a vertical access control test that can be used to test authorisation logic between users in different roles. In order to use this, two items should be configured: Firstly, the config.xml file should be updated so that users belong to specified roles (see example above). Secondly, methods that should only be visible to certain roles should be annotated with annotation in the Java class, for example:

14 public class IspatulaApplication extends WebApplication implements ILogin,ILogout public ListOrdersPage listorders() { return new ListOrdersPage(driver).open();... In order for the tests to work, the restricted method must throw an UnexpectedPageException if an unauthorised user attempts to load the page. In the example above, this is implemented by checking the text on the ListOrdersPage. In this simple online shopping applicatoin, if authorised users in the admin role view this page then the page contains the text All Orders. If an unauthorised user in any other role attempts to view the page, then that text will not be present. This behaviour is coded public class ListOrdersPage extends Page {... public final static String expectedtext = "All public ListOrdersPage open() { return public void verify() { if (!getsource().contains((expectedtext))) { throw new UnexpectedPageException("Did not find the expected text: "+expectedtext); into the page object as follows: The Page.open() method calls verify() in order to verify that it is on the correct page. By overriding the verify() method in the ListOrdersPage, the method will throw an exception if the text is not present. SECURITY TESTING STORY TEMPLATES The following predefined security stories are included in BDD-Security: Authentication Story: Security specifications that define how the authentication system should behave. Authorisation Story: A single scenario that tests vertical access control. Session Management Story: A number of scenarios describing how session management should behave. Automated Scanning: A number of scenarios using Burp as the scanner

15 AUTOMATED SCANNING Automated security scanning is a cost effective way to identify certain types of vulnerabilities in web applications. The Burp Suite testing tool is popular for manual assessments and includes plugin functionality which allows it to be extended. RESTY-BURP BDD-Security provides the overall framework for running tests, it would be convenient to be able to execute automated scans from those tests. To this end, Resty-Burp was developed, which is a burp extension that starts up an HTTP server within the Burp instance and offers control of certain Burp features over a REST/JSON API. This allows Burp to be controlled from many other languages, not just Java. The Resty- Burp software is released with a Java client by default and supports the following functions: scan $target getpercentcomplete getissues getproxyhistory get/set/update Config reset INTEGRATION WITH BDD-SECURITY BDD-Security uses the resty-burp service to perform automated scanning. In order to support this, the application class must implement the IScanWorkflow interface and public class IspatulaApplication extends WebApplication implements IScanWorkflow {... public void navigateall() { search("hello"); openloginpage().login( Config.instance().getUsers().getDefaultCredentials("user")); new AccountInfoPage(driver).open();... define the navigateall() method: The navigation code included in the navigateall() method is what is used to populate Burp s proxy logs -and therefore the scanner. Only the part of the application included in the navigateall() method will be scanned by Burp. The automated scanning performed by BDD-Security is defined in the Automated Scanning Story file.

16 PUTTING IT ALL TOGETHER BDD-Security can be run from the command line through maven, or from within an IDE by executing the StoryRunner class. Specific scenarios or entire stories can be included or excluded using meta tags. For example, to only execute the Authentication story: HTML, XML and TXT reports are generated after each run and copied both to: bdd-security/target/jbehave as well as timestamped directory in: bdd-security/reports The reports.html file provides a summary of the test execution, how many stories were included/excluded and how many scenarios passed and failed. Each story then has its own HTML report describing the scenarios in detail and their results:

17 CONCLUSION Behaviour Driven Development provides a very useful concept for defining and then executing automated security tests. The improved readability of the specifications make it suitable for use instead of, or in addition to traditional specification documents. By implementing security tests in a BDD framework, they can take advantage of the features of automated testing such as: Reliable regression testing Low cost retesting Integration into existing build tools One of the biggest advantages is that the security requirements can be defined up front by non-developers, and then interpreted and implemented by development staff.

18 The Page Object pattern allows testing code to stay free of navigation code, thereby improving maintainability and scalability. Page Objects can be re-used by different teams, but centrally managed and maintained. Changes to the page objects should not require changes to the tests that use those objects. Resty-Burp provides a standard client-server interface to the Burp Suite tool using a REST/JSON API. This allows automated test scripts to use Burp as a security scanner. The BDD-Security framework ties these concepts together to provide a generic set of executable security requirements that should be applicable to a wide variety of web applications. Furthermore, it provides a framework to easily extend the existing tests with security tests that are specific to the web application under test. TOOLS BDD-Security: Resty-Burp:

19 ABOUT THE AUTHOR Stephen de Vries is an independent Security Consultant specialising in application security and on improving the security practices in software development. Stephen has worked in the security field since 1998 and has spent the last 12 years focused on Security Assessment and Penetration Testing at Corsaire, KPMG and Internet Security Systems. He was a founding leader of the OWASP Java project and regularly presents talks on secure programming and security testing.

Acunetix Web Vulnerability Scanner. Getting Started. By Acunetix Ltd.

Acunetix Web Vulnerability Scanner. Getting Started. By Acunetix Ltd. Acunetix Web Vulnerability Scanner Getting Started V8 By Acunetix Ltd. 1 Starting a Scan The Scan Wizard allows you to quickly set-up an automated scan of your website. An automated scan provides a comprehensive

More information

Most of the security testers I know do not have

Most of the security testers I know do not have Most of the security testers I know do not have a strong background in software development. Yes, they maybe know how to hack java, reverse-engineer binaries and bypass protection. These skills are often

More information

Continuous Integration

Continuous Integration Continuous Integration WITH FITNESSE AND SELENIUM By Brian Kitchener briank@ecollege.com Intro Who am I? Overview Continuous Integration The Tools Selenium Overview Fitnesse Overview Data Dependence My

More information

Enable Your Automated Web App Testing by WebDriver. Yugang Fan Intel

Enable Your Automated Web App Testing by WebDriver. Yugang Fan Intel Enable Your Automated Web App Testing by WebDriver Yugang Fan Intel Agenda Background Challenges WebDriver BDD Behavior Driven Test Architecture Example WebDriver Based Behavior Driven Test Summary Reference

More information

Test Automation Integration with Test Management QAComplete

Test Automation Integration with Test Management QAComplete Test Automation Integration with Test Management QAComplete This User's Guide walks you through configuring and using your automated tests with QAComplete's Test Management module SmartBear Software Release

More information

Security and Vulnerability Testing How critical it is?

Security and Vulnerability Testing How critical it is? Security and Vulnerability Testing How critical it is? It begins and ends with your willingness and drive to change the way you perform testing today Security and Vulnerability Testing - Challenges and

More information

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS Published by Tony Porterfield Feb 1, 2015. Overview The intent of this test plan is to evaluate a baseline set of data security practices

More information

SOFTWARE TESTING TRAINING COURSES CONTENTS

SOFTWARE TESTING TRAINING COURSES CONTENTS SOFTWARE TESTING TRAINING COURSES CONTENTS 1 Unit I Description Objectves Duration Contents Software Testing Fundamentals and Best Practices This training course will give basic understanding on software

More information

Web Application Penetration Testing

Web Application Penetration Testing Web Application Penetration Testing 2010 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Will Bechtel William.Bechtel@att.com

More information

Essential IT Security Testing

Essential IT Security Testing Essential IT Security Testing Application Security Testing for System Testers By Andrew Muller Director of Ionize Who is this guy? IT Security consultant to the stars Member of OWASP Member of IT-012-04

More information

(WAPT) Web Application Penetration Testing

(WAPT) Web Application Penetration Testing (WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1:

More information

Application Security Testing. Generic Test Strategy

Application Security Testing. Generic Test Strategy Application Security Testing Generic Test Strategy Page 2 of 8 Contents 1 Introduction 3 1.1 Purpose: 3 1.2 Application Security Testing: 3 2 Audience 3 3 Test Strategy guidelines 3 3.1 Authentication

More information

Domain Specific Languages for Selenium tests

Domain Specific Languages for Selenium tests Domain Specific Languages for Selenium tests Emily Bache, jfokus 2010 What is selenium? Selenium is a suite of tools to automate web application testing Includes Selenium RC (Remote Control) & Selenium

More information

Magento Test Automation Framework User's Guide

Magento Test Automation Framework User's Guide Magento Test Automation Framework User's Guide The Magento Test Automation Framework (MTAF) is a system of software tools used for running repeatable functional tests against the Magento application being

More information

Using Foundstone CookieDigger to Analyze Web Session Management

Using Foundstone CookieDigger to Analyze Web Session Management Using Foundstone CookieDigger to Analyze Web Session Management Foundstone Professional Services May 2005 Web Session Management Managing web sessions has become a critical component of secure coding techniques.

More information

Viewpoint. Choosing the right automation tool and framework is critical to project success. - Harsh Bajaj, Technical Test Lead ECSIVS, Infosys

Viewpoint. Choosing the right automation tool and framework is critical to project success. - Harsh Bajaj, Technical Test Lead ECSIVS, Infosys Viewpoint Choosing the right automation tool and framework is critical to project success - Harsh Bajaj, Technical Test Lead ECSIVS, Infosys Introduction Organizations have become cognizant of the crucial

More information

Kentico CMS security facts

Kentico CMS security facts Kentico CMS security facts ELSE 1 www.kentico.com Preface The document provides the reader an overview of how security is handled by Kentico CMS. It does not give a full list of all possibilities in the

More information

Testing Tools Content (Manual with Selenium) Levels of Testing

Testing Tools Content (Manual with Selenium) Levels of Testing Course Objectives: This course is designed to train the fresher's, intermediate and professionals on testing with the concepts of manual testing and Automation with Selenium. The main focus is, once the

More information

Web Applications Testing

Web Applications Testing Web Applications Testing Automated testing and verification JP Galeotti, Alessandra Gorla Why are Web applications different Web 1.0: Static content Client and Server side execution Different components

More information

QEx Whitepaper. Automation Testing Pillar: Selenium. Naveen Saxena. AuthOr: www.hcltech.com

QEx Whitepaper. Automation Testing Pillar: Selenium. Naveen Saxena. AuthOr: www.hcltech.com www.hcltech.com QEx Whitepaper Automation Testing Pillar: Selenium Business Assurance & Testing AuthOr: Naveen Saxena Working as a Test Lead, Center of Excellence Group, with HCL Technologies. Has immense

More information

GLOBAL JOURNAL OF ENGINEERING SCIENCE AND RESEARCHES

GLOBAL JOURNAL OF ENGINEERING SCIENCE AND RESEARCHES GLOBAL JOURNAL OF ENGINEERING SCIENCE AND RESEARCHES A LITERATURE SURVEY ON DESIGN AND ANALYSIS OF WEB AUTOMATION TESTING FRAMEWORK - SELENIUM Revathi. K *1 and Prof. Janani.V 2 PG Scholar, Dept of CSE,

More information

Safewhere*Identify 3.4. Release Notes

Safewhere*Identify 3.4. Release Notes Safewhere*Identify 3.4 Release Notes Safewhere*identify is a new kind of user identification and administration service providing for externalized and seamless authentication and authorization across organizations.

More information

With the use of keyword driven framework, we can automate the following test scenarios for Gmail as under :-

With the use of keyword driven framework, we can automate the following test scenarios for Gmail as under :- Volume 4, Issue 6, June 2014 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com Selenium Keyword

More information

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins During initial stages of penetration testing it is essential to build a strong information foundation before you

More information

WordPress Security Scan Configuration

WordPress Security Scan Configuration WordPress Security Scan Configuration To configure the - WordPress Security Scan - plugin in your WordPress driven Blog, login to WordPress as administrator, by simply entering the url_of_your_website/wp-admin

More information

Secure Web Development Teaching Modules 1. Security Testing. 1.1 Security Practices for Software Verification

Secure Web Development Teaching Modules 1. Security Testing. 1.1 Security Practices for Software Verification Secure Web Development Teaching Modules 1 Security Testing Contents 1 Concepts... 1 1.1 Security Practices for Software Verification... 1 1.2 Software Security Testing... 2 2 Labs Objectives... 2 3 Lab

More information

SharePoint Integration Framework Developers Cookbook

SharePoint Integration Framework Developers Cookbook Sitecore CMS 6.3 to 6.6 and SIP 3.2 SharePoint Integration Framework Developers Cookbook Rev: 2013-11-28 Sitecore CMS 6.3 to 6.6 and SIP 3.2 SharePoint Integration Framework Developers Cookbook A Guide

More information

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Detecting Web Application Vulnerabilities Using Open Source Means OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Kostas Papapanagiotou Committee Member OWASP Greek Chapter conpap@owasp.gr

More information

VERALAB LDAP Configuration Guide

VERALAB LDAP Configuration Guide VERALAB LDAP Configuration Guide VeraLab Suite is a client-server application and has two main components: a web-based application and a client software agent. Web-based application provides access to

More information

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security

More information

Automation using Selenium

Automation using Selenium Table of Contents 1. A view on Automation Testing... 3 2. Automation Testing Tools... 3 2.1 Licensed Tools... 3 2.1.1 Market Growth & Productivity... 4 2.1.2 Current Scenario... 4 2.2 Open Source Tools...

More information

Adobe Systems Incorporated

Adobe Systems Incorporated Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...

More information

About Me. #ccceu. @shapeblue. Software Architect with ShapeBlue Specialise in. 3 rd party integrations and features in CloudStack

About Me. #ccceu. @shapeblue. Software Architect with ShapeBlue Specialise in. 3 rd party integrations and features in CloudStack Software Architect with ShapeBlue Specialise in. 3 rd party integrations and features in CloudStack About Me KVM, API, DB, Upgrades, SystemVM, Build system, various subsystems Contributor and Committer

More information

The Top Web Application Attacks: Are you vulnerable?

The Top Web Application Attacks: Are you vulnerable? QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding

More information

Tableau Server Trusted Authentication

Tableau Server Trusted Authentication Tableau Server Trusted Authentication When you embed Tableau Server views into webpages, everyone who visits the page must be a licensed user on Tableau Server. When users visit the page they will be prompted

More information

MS Enterprise Library 5.0 (Logging Application Block)

MS Enterprise Library 5.0 (Logging Application Block) International Journal of Scientific and Research Publications, Volume 4, Issue 8, August 2014 1 MS Enterprise Library 5.0 (Logging Application Block) Anubhav Tiwari * R&D Dept., Syscom Corporation Ltd.

More information

USING MYWEBSQL FIGURE 1: FIRST AUTHENTICATION LAYER (ENTER YOUR REGULAR SIMMONS USERNAME AND PASSWORD)

USING MYWEBSQL FIGURE 1: FIRST AUTHENTICATION LAYER (ENTER YOUR REGULAR SIMMONS USERNAME AND PASSWORD) USING MYWEBSQL MyWebSQL is a database web administration tool that will be used during LIS 458 & CS 333. This document will provide the basic steps for you to become familiar with the application. 1. To

More information

MarkLogic Server. Reference Application Architecture Guide. MarkLogic 8 February, 2015. Copyright 2015 MarkLogic Corporation. All rights reserved.

MarkLogic Server. Reference Application Architecture Guide. MarkLogic 8 February, 2015. Copyright 2015 MarkLogic Corporation. All rights reserved. Reference Application Architecture Guide 1 MarkLogic 8 February, 2015 Last Revised: 8.0-1, February, 2015 Copyright 2015 MarkLogic Corporation. All rights reserved. Table of Contents Table of Contents

More information

Design and Functional Specification

Design and Functional Specification 2010 Design and Functional Specification Corpus eready Solutions pvt. Ltd. 3/17/2010 1. Introduction 1.1 Purpose This document records functional specifications for Science Technology English Math (STEM)

More information

Web Application Vulnerability Testing with Nessus

Web Application Vulnerability Testing with Nessus The OWASP Foundation http://www.owasp.org Web Application Vulnerability Testing with Nessus Rïk A. Jones, CISSP rikjones@computer.org Rïk A. Jones Web developer since 1995 (16+ years) Involved with information

More information

Agenda 10-6-2013. Polteq 1. ie-net 11 juni 2013

Agenda 10-6-2013. Polteq 1. ie-net 11 juni 2013 Behavior Driven Testing with Cucumber demystified ie-net 11 juni 2013 Agenda Who am I Scope Behavior Driven Development / Testing (BDD / BDT) Domain Specific Languages (DSL) Cucumber Bringing it all together

More information

CMP3002 Advanced Web Technology

CMP3002 Advanced Web Technology CMP3002 Advanced Web Technology Assignment 1: Web Security Audit A web security audit on a proposed eshop website By Adam Wright Table of Contents Table of Contents... 2 Table of Tables... 2 Introduction...

More information

Tableau Server Trusted Authentication

Tableau Server Trusted Authentication Tableau Server Trusted Authentication When you embed Tableau Server views into webpages, everyone who visits the page must be a licensed user on Tableau Server. When users visit the page they will be prompted

More information

SOA REFERENCE ARCHITECTURE: WEB TIER

SOA REFERENCE ARCHITECTURE: WEB TIER SOA REFERENCE ARCHITECTURE: WEB TIER SOA Blueprint A structured blog by Yogish Pai Web Application Tier The primary requirement for this tier is that all the business systems and solutions be accessible

More information

Pre-Installation Instructions

Pre-Installation Instructions Agile Product Lifecycle Management PLM Mobile Release Notes Release 2.0 E49504-02 October 2014 These Release Notes provide technical information about Oracle Product Lifecycle Management (PLM) Mobile 2.0.

More information

Certified Selenium Professional VS-1083

Certified Selenium Professional VS-1083 Certified Selenium Professional VS-1083 Certified Selenium Professional Certified Selenium Professional Certification Code VS-1083 Vskills certification for Selenium Professional assesses the candidate

More information

Using Free Tools To Test Web Application Security

Using Free Tools To Test Web Application Security Using Free Tools To Test Web Application Security Speaker Biography Matt Neely, CISSP, CTGA, GCIH, and GCWN Manager of the Profiling Team at SecureState Areas of expertise: wireless, penetration testing,

More information

Online Data Services. Security Guidelines. Online Data Services by Esri UK. Security Best Practice

Online Data Services. Security Guidelines. Online Data Services by Esri UK. Security Best Practice Online Data Services Security Guidelines Online Data Services by Esri UK Security Best Practice 28 November 2014 Contents Contents... 1 1. Introduction... 2 2. Data Service Accounts, Security and Fair

More information

Opacus Outlook Addin v3.x User Guide

Opacus Outlook Addin v3.x User Guide Opacus Outlook Addin v3.x User Guide Connecting to your SugarCRM Instance Before you can use the plugin you must first configure it to communicate with your SugarCRM instance. In order to configure the

More information

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction

More information

HP WebInspect Tutorial

HP WebInspect Tutorial HP WebInspect Tutorial Introduction: With the exponential increase in internet usage, companies around the world are now obsessed about having a web application of their own which would provide all the

More information

Web Application Guidelines

Web Application Guidelines Web Application Guidelines Web applications have become one of the most important topics in the security field. This is for several reasons: It can be simple for anyone to create working code without security

More information

WebCruiser Web Vulnerability Scanner User Guide

WebCruiser Web Vulnerability Scanner User Guide WebCruiser Web Vulnerability Scanner User Guide Content 1. Software Introduction...2 2. Key Features...3 2.1. POST Data Resend...3 2.2. Vulnerability Scanner...6 2.3. SQL Injection...8 2.3.1. POST SQL

More information

Customer Bank Account Management System Technical Specification Document

Customer Bank Account Management System Technical Specification Document Customer Bank Account Management System Technical Specification Document Technical Specification Document Page 1 of 15 Table of Contents Contents 1 Introduction 3 2 Design Overview 4 3 Topology Diagram.6

More information

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked. This sample report is published with prior consent of our client in view of the fact that the current release of this web application is three major releases ahead in its life cycle. Issues pointed out

More information

Selenium Automation set up with TestNG and Eclipse- A Beginners Guide

Selenium Automation set up with TestNG and Eclipse- A Beginners Guide Selenium Automation set up with TestNG and Eclipse- A Beginners Guide Authors: Eevuri Sri Harsha, Ranjani Sivagnanam Sri Harsha is working as an Associate Software Engineer (QA) for IBM Policy Atlas team

More information

QualysGuard WAS. Getting Started Guide Version 3.3. March 21, 2014

QualysGuard WAS. Getting Started Guide Version 3.3. March 21, 2014 QualysGuard WAS Getting Started Guide Version 3.3 March 21, 2014 Copyright 2011-2014 by Qualys, Inc. All Rights Reserved. Qualys, the Qualys logo and QualysGuard are registered trademarks of Qualys, Inc.

More information

Performance Testing from User Perspective through Front End Software Testing Conference, 2013

Performance Testing from User Perspective through Front End Software Testing Conference, 2013 Performance Testing from User Perspective through Front End Software Testing Conference, 2013 Authors: Himanshu Dhingra - Overall 9+ years IT extensive experience years on Automation testing - Expertise

More information

AUTOMATING THE WEB APPLICATIONS USING THE SELENIUM RC

AUTOMATING THE WEB APPLICATIONS USING THE SELENIUM RC AUTOMATING THE WEB APPLICATIONS USING THE SELENIUM RC Mrs. Y.C. Kulkarni Assistant Professor (Department of Information Technology) Bharati Vidyapeeth Deemed University, College of Engineering, Pune, India

More information

Know the Difference. Unified Functional Testing (UFT) and Lean Functional Testing (LeanFT) from HP

Know the Difference. Unified Functional Testing (UFT) and Lean Functional Testing (LeanFT) from HP Know the Difference Unified Functional Testing (UFT) and Lean Functional Testing (LeanFT) from HP 1 Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject

More information

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org

More information

1. Building Testing Environment

1. Building Testing Environment The Practice of Web Application Penetration Testing 1. Building Testing Environment Intrusion of websites is illegal in many countries, so you cannot take other s web sites as your testing target. First,

More information

Where every interaction matters.

Where every interaction matters. Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper

More information

Application Security Testing

Application Security Testing Tstsec - Version: 1 09 July 2016 Application Security Testing Application Security Testing Tstsec - Version: 1 4 days Course Description: We are living in a world of data and communication, in which the

More information

STABLE & SECURE BANK lab writeup. Page 1 of 21

STABLE & SECURE BANK lab writeup. Page 1 of 21 STABLE & SECURE BANK lab writeup 1 of 21 Penetrating an imaginary bank through real present-date security vulnerabilities PENTESTIT, a Russian Information Security company has launched its new, eighth

More information

Introduction to Automated Testing

Introduction to Automated Testing Introduction to Automated Testing What is Software testing? Examination of a software unit, several integrated software units or an entire software package by running it. execution based on test cases

More information

Thick Client Application Security

Thick Client Application Security Thick Client Application Security Arindam Mandal (arindam.mandal@paladion.net) (http://www.paladion.net) January 2005 This paper discusses the critical vulnerabilities and corresponding risks in a two

More information

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST Performed Between Testing start date and end date By SSL247 Limited SSL247 Limited 63, Lisson Street Marylebone London

More information

Authentication Methods

Authentication Methods Authentication Methods Overview In addition to the OU Campus-managed authentication system, OU Campus supports LDAP, CAS, and Shibboleth authentication methods. LDAP users can be configured through the

More information

Passing PCI Compliance How to Address the Application Security Mandates

Passing PCI Compliance How to Address the Application Security Mandates Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These

More information

Redpaper Axel Buecker Kenny Chow Jenny Wong

Redpaper Axel Buecker Kenny Chow Jenny Wong Redpaper Axel Buecker Kenny Chow Jenny Wong A Guide to Authentication Services in IBM Security Access Manager for Enterprise Single Sign-On Introduction IBM Security Access Manager for Enterprise Single

More information

SHARPCLOUD SECURITY STATEMENT

SHARPCLOUD SECURITY STATEMENT SHARPCLOUD SECURITY STATEMENT Summary Provides details of the SharpCloud Security Architecture Authors: Russell Johnson and Andrew Sinclair v1.8 (December 2014) Contents Overview... 2 1. The SharpCloud

More information

Secure Web Service - Hybrid. Policy Server Setup. Release 9.2.5 Manual Version 1.01

Secure Web Service - Hybrid. Policy Server Setup. Release 9.2.5 Manual Version 1.01 Secure Web Service - Hybrid Policy Server Setup Release 9.2.5 Manual Version 1.01 M86 SECURITY WEB SERVICE HYBRID QUICK START USER GUIDE 2010 M86 Security All rights reserved. 828 W. Taft Ave., Orange,

More information

Creating a generic user-password application profile

Creating a generic user-password application profile Chapter 4 Creating a generic user-password application profile Overview If you d like to add applications that aren t in our Samsung KNOX EMM App Catalog, you can create custom application profiles using

More information

Application security testing: Protecting your application and data

Application security testing: Protecting your application and data E-Book Application security testing: Protecting your application and data Application security testing is critical in ensuring your data and application is safe from security attack. This ebook offers

More information

TESTING TOOLS COMP220/285 University of Liverpool slide 1

TESTING TOOLS COMP220/285 University of Liverpool slide 1 TESTING TOOLS COMP220/285 University of Liverpool slide 1 Objectives At the end of this lecture, you should be able to - Describe some common software tools - Describe how different parts of a multitier

More information

Last update: February 23, 2004

Last update: February 23, 2004 Last update: February 23, 2004 Web Security Glossary The Web Security Glossary is an alphabetical index of terms and terminology relating to web application security. The purpose of the Glossary is to

More information

TIBCO Spotfire Web Player 6.0. Installation and Configuration Manual

TIBCO Spotfire Web Player 6.0. Installation and Configuration Manual TIBCO Spotfire Web Player 6.0 Installation and Configuration Manual Revision date: 12 November 2013 Important Information SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED

More information

HackMiami Web Application Scanner 2013 PwnOff

HackMiami Web Application Scanner 2013 PwnOff HackMiami Web Application Scanner 2013 PwnOff An Analysis of Automated Web Application Scanning Suites James Ball, Alexander Heid, Rod Soto http://www.hackmiami.org Overview Web application scanning suites

More information

User Guide. You will be presented with a login screen which will ask you for your username and password.

User Guide. You will be presented with a login screen which will ask you for your username and password. User Guide Overview SurfProtect is a real-time web-site filtering system designed to adapt to your particular needs. The main advantage with SurfProtect over many rivals is its unique architecture that

More information

Check list for web developers

Check list for web developers Check list for web developers Requirement Yes No Remarks 1. Input Validation 1.1) Have you done input validation for all the user inputs using white listing and/or sanitization? 1.2) Does the input validation

More information

Secure Messaging Server Console... 2

Secure Messaging Server Console... 2 Secure Messaging Server Console... 2 Upgrading your PEN Server Console:... 2 Server Console Installation Guide... 2 Prerequisites:... 2 General preparation:... 2 Installing the Server Console... 2 Activating

More information

Active Directory Authentication Integration

Active Directory Authentication Integration Active Directory Authentication Integration This document provides a detailed explanation of how to integrate Active Directory into the ipconfigure Installation of a Windows 2003 Server for network security.

More information

INTRODUCTION TO ATRIUM... 2 SYSTEM REQUIREMENTS... 2 TECHNICAL DETAILS... 2 LOGGING INTO ATRIUM... 3 SETTINGS... 4 NAVIGATION PANEL...

INTRODUCTION TO ATRIUM... 2 SYSTEM REQUIREMENTS... 2 TECHNICAL DETAILS... 2 LOGGING INTO ATRIUM... 3 SETTINGS... 4 NAVIGATION PANEL... INTRODUCTION TO ATRIUM... 2 SYSTEM REQUIREMENTS... 2 TECHNICAL DETAILS... 2 LOGGING INTO ATRIUM... 3 SETTINGS... 4 CONTROL PANEL... 4 ADDING GROUPS... 6 APPEARANCE... 7 BANNER URL:... 7 NAVIGATION... 8

More information

How-to: Single Sign-On

How-to: Single Sign-On How-to: Single Sign-On Document version: 1.02 nirva systems info@nirva-systems.com nirva-systems.com How-to: Single Sign-On - page 2 This document describes how to use the Single Sign-On (SSO) features

More information

Lecture 11 Web Application Security (part 1)

Lecture 11 Web Application Security (part 1) Lecture 11 Web Application Security (part 1) Computer and Network Security 4th of January 2016 Computer Science and Engineering Department CSE Dep, ACS, UPB Lecture 11, Web Application Security (part 1)

More information

Appium mobile test automation

Appium mobile test automation Appium mobile test automation for Google Android and Apple ios Last updated: 4 January 2016 Pepgo Limited, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom Contents About this document...

More information

WESTERNACHER OUTLOOK E-MAIL-MANAGER OPERATING MANUAL

WESTERNACHER OUTLOOK E-MAIL-MANAGER OPERATING MANUAL TABLE OF CONTENTS 1 Summary 3 2 Software requirements 3 3 Installing the Outlook E-Mail Manager Client 3 3.1 Requirements 3 3.1.1 Installation for trial customers for cloud-based testing 3 3.1.2 Installing

More information

www.novell.com/documentation Policy Guide Access Manager 3.1 SP5 January 2013

www.novell.com/documentation Policy Guide Access Manager 3.1 SP5 January 2013 www.novell.com/documentation Policy Guide Access Manager 3.1 SP5 January 2013 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation,

More information

CA Performance Center

CA Performance Center CA Performance Center Single Sign-On User Guide 2.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is

More information

Latest Trends in Testing. Ajay K Chhokra

Latest Trends in Testing. Ajay K Chhokra Latest Trends in Testing Ajay K Chhokra Introduction Software Testing is the last phase in software development lifecycle which has high impact on the quality of the final product delivered to the customer.

More information

SoftwarePlanner Active Directory Authentication

SoftwarePlanner Active Directory Authentication User s Guide SoftwarePlanner Active Directory Authentication This document provides an explanation of using Active Directory with SoftwarePlanner. 1 Narrative In some situations, it may be preferable to

More information

FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that

More information

Integrating LivePerson with Salesforce

Integrating LivePerson with Salesforce Integrating LivePerson with Salesforce V 9.2 March 2, 2010 Implementation Guide Description Who should use this guide? Duration This guide describes the process of integrating LivePerson and Salesforce

More information

Apache Server Implementation Guide

Apache Server Implementation Guide Apache Server Implementation Guide 340 March Road Suite 600 Kanata, Ontario, Canada K2K 2E4 Tel: +1-613-599-2441 Fax: +1-613-599-2442 International Voice: +1-613-599-2441 North America Toll Free: 1-800-307-7042

More information

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec.co.il

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec.co.il Application Security Testing Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec.co.il Agenda The most common security vulnerabilities you should test for Understanding the problems

More information

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca)

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca) Bug Report Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca) Software: Kimai Version: 0.9.1.1205 Website: http://www.kimai.org Description: Kimai is a web based time-tracking application.

More information

WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide

WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide This document is intended to help you get started using WebSpy Vantage Ultimate and the Web Module. For more detailed information, please see

More information

05.0 Application Development

05.0 Application Development Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development

More information

Research into Testing Service Oriented Architectures: Preliminary Report, November 2006

Research into Testing Service Oriented Architectures: Preliminary Report, November 2006 Research into Testing Service Oriented Architectures: Preliminary Report, November 2006 Prepared For: Contract Monitor: Avaya, Inc Dave Weiss Principal Investigator: Jeff Offutt George Mason University

More information